Applying WS-Security Signatures and Encryption to a SOAP Web Service


When deploying SOAP web services through Forum Sentry, many use cases call for applying WS-Security to the SOAP requests and responses: specifically, applying and verifying digital signatures, and encrypting and decrypting the documents.


Sample Sentry Task List

Attached is a Sentry Task List (FSG file), built for Sentry v8.3, that illustrates in a single task list how to encrypt/sign a document and then verify/decrypt it with Forum Sentry.

The import password is password.

When you run the task list with all tasks enabled (click Run), Sentry will do the following processing in this order:

  1. encrypt the sample document
  2. sign the sample document
  3. verify the signature applied in step 2
  4. decrypt the document
  5. remove the WS-Security header - leaving you with the same sample message you started with

In this example, the SOAP Body element is what is encrypted and signed. Because the signature is applied after encryption, it covers the encrypted Body, so Sentry must verify it before decrypting; decrypting first would alter the signed content and the verification would fail. Note that multiple elements within the request/response messages can be encrypted and signed.
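The following inspector is an added example for this article; it is not code from Forum Sentry or from the sample task list. It parses a WS-Security envelope and reports the order in which a receiver must verify and decrypt, derived from the order of the children of wsse:Security (WS-Security has the sender prepend each new element, so the receiver processes them top to bottom), and it checks that every signature Reference and DataReference actually resolves. The envelope is constructed here with placeholder digest and ciphertext values, since nothing in this script performs real signing or encryption; use it on the output files you get from the task list to see which ordering Sentry produced.

```python
"""Inspect a WS-Security envelope and derive the receiver's verify/decrypt order."""
import xml.etree.ElementTree as ET

# Namespaces used by WS-Security 1.0 headers, XML-DSig and XML-Enc.
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Constructed sample pieces (not real ciphertext or digests): a Signature over the
# Body and an EncryptedKey whose ReferenceList points at the Body's EncryptedData.
SIGNATURE = """<ds:Signature><ds:SignedInfo>
 <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
 <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
 <ds:Reference URI="#Body-1"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
  <ds:DigestValue>placeholder</ds:DigestValue></ds:Reference>
</ds:SignedInfo><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>"""
ENCRYPTED_KEY = """<xenc:EncryptedKey Id="EK-1">
 <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
 <xenc:CipherData><xenc:CipherValue>placeholder</xenc:CipherValue></xenc:CipherData>
 <xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>
</xenc:EncryptedKey>"""
ENVELOPE = """<soapenv:Envelope xmlns:soapenv="%(soapenv)s" xmlns:wsse="%(wsse)s"
 xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s" xmlns:xenc="%(xenc)s">
 <soapenv:Header><wsse:Security>%%s</wsse:Security></soapenv:Header>
 <soapenv:Body wsu:Id="Body-1">
  <xenc:EncryptedData Id="ED-1" Type="http://www.w3.org/2001/04/xmlenc#Content">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
   <xenc:CipherData><xenc:CipherValue>placeholder</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
 </soapenv:Body>
</soapenv:Envelope>""" % NS

def envelope(*security_children):
    """Assemble the constructed sample with the given wsse:Security children in document order."""
    return ENVELOPE % "".join(security_children)

def q(prefix, name):
    return "{%s}%s" % (NS[prefix], name)

def local(tag):
    return tag.rsplit("}", 1)[-1]

def inspect(envelope_xml):
    root = ET.fromstring(envelope_xml)
    parent = {c: p for p in root.iter() for c in p}
    ids = {}                                   # wsu:Id / Id value -> element
    for el in root.iter():
        for attr in (q("wsu", "Id"), "Id"):
            if el.get(attr):
                ids[el.get(attr)] = el
    body = root.find("soapenv:Body", NS)
    security = root.find("soapenv:Header/wsse:Security", NS)
    if security is None:
        return {"steps": [], "order": None, "warnings": ["no wsse:Security header"]}
    steps, warnings = [], []
    verify_idx = decrypt_idx = None
    for el in security:                        # receiver processes children top to bottom
        if el.tag == q("ds", "Signature"):
            targets = []
            for ref in el.findall("ds:SignedInfo/ds:Reference", NS):
                uri = ref.get("URI", "")
                t = ids.get(uri[1:]) if uri.startswith("#") else None
                if t is None:
                    warnings.append("unresolved signature reference %r" % uri)
                    continue
                targets.append(t)
                if t is body and verify_idx is None:
                    verify_idx = len(steps)
            steps.append(("verify", [local(t.tag) for t in targets]))
        elif el.tag == q("xenc", "EncryptedKey"):
            targets = []
            for ref in el.findall("xenc:ReferenceList/xenc:DataReference", NS):
                uri = ref.get("URI", "")
                ed = ids.get(uri[1:]) if uri.startswith("#") else None
                if ed is None or ed.tag != q("xenc", "EncryptedData"):
                    warnings.append("unresolved data reference %r" % uri)
                    continue
                # Type ...#Content means the parent's children were replaced, so the
                # parent is the element that decryption restores.
                owner = parent[ed] if (ed.get("Type") or "").endswith("#Content") else ed
                targets.append(owner)
                if owner is body and decrypt_idx is None:
                    decrypt_idx = len(steps)
            steps.append(("decrypt", [local(t.tag) for t in targets]))
        else:
            steps.append((local(el.tag), []))  # e.g. Timestamp, BinarySecurityToken
    order = None
    if verify_idx is not None and decrypt_idx is not None:
        order = "encrypt-then-sign" if verify_idx < decrypt_idx else "sign-then-encrypt"
    if decrypt_idx is not None and verify_idx is None:
        warnings.append("Body is encrypted but no signature covers it")
    if decrypt_idx is None and verify_idx is None:
        warnings.append("Body is neither signed nor encrypted")
    return {"steps": steps, "order": order, "warnings": warnings}

if __name__ == "__main__":
    print(inspect(envelope(SIGNATURE, ENCRYPTED_KEY)))   # the article's ordering
    print(inspect(envelope(ENCRYPTED_KEY, SIGNATURE)))   # decrypt first, then verify
    print(inspect(envelope(ENCRYPTED_KEY)))              # encrypted but unsigned
```

With the Signature listed first in the header, as the task list produces, the report is verify then decrypt ("encrypt-then-sign"); swapping the two header children yields "sign-then-encrypt", and an envelope with only an EncryptedKey is flagged because nothing protects the integrity of the ciphertext. To run it against a file written by the task list, pass the file's contents to inspect() instead of the constructed sample.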



Sample Document - The Sample Document on the task list should be representative of the message (request or response) that Sentry would be processing at run time. This is used to build the XPath expressions used in the tasks.  If you want to sign or encrypt a specific element (not the SOAP body) you'll need to load your own sample document.  Likewise, if you just want Sentry to decrypt a document, you'll need to load a sample document that has encrypted elements.  You can import sample documents on the Resources-->Documents page of the WebAdmin interface.

Testing - While testing with this example Task List, disable certain tasks in the list and run it again to see the resulting file.  Be sure to check the System log at DEBUG level to see the processing being done.

Customization - This sample task list provides the framework in Sentry for this type of WS-Security processing. There are several options on each of the tasks (the selected settings are the most commonly used). It may be necessary to tweak these settings to be interoperable with different trading partners.

PKI - The key pair (public / private keys) used in this task list is attached in case you need the keys outside of Sentry (for instance to load into SOAPSonar to use for signing a request document). This is a US DoD test key pair and it includes the private key, the end user cert, 2 intermediate certs, and the root CA cert. The import password is password.

